Blacklisting/Disabling AF_<arcane networking>

Ben Hutchings ben at decadent.org.uk
Thu Dec 2 00:00:19 UTC 2010 

On Tue, 2010-11-30 at 10:31 -0800, Kees Cook wrote:
> Hi Andy,
> 
> On Tue, Nov 30, 2010 at 02:29:56PM +0000, Andy Whitcroft wrote:
> > At UDS there was some discussion about how we have almost all of the
> > address family support AF_* built as modules.  This means that a simple
> > socket(AF_ARCANE_THING, ...) or indeed an incoming packet will trigger
> > loading of these modules and expose us to any security issues in those
> > modules.
> > 
> > The UDS discussion suggested that at least blacklisting any un-common
> > address families might be appropriate; a user requiring this would then
> > simply add the module to /etc/modules to re-enable it.  Futher discussion
> > on IRC and other places has suggested that some of these address families
> > do not even warrant building at all.  For example ECONET supports a
> > network which is very likely not even in existance let alone common on
> > our target hardware.
> > 
> > In the face of recent security alerts I am inclined to think that is an
> > entirly reasonable approach and am keen to understand any issues this
> > may cause.   How can we progress with this?
> 
> Totally agreed. My impulse is to pursue Dan Rosenberg's "do not autoload
> modules" approach:
> https://lkml.org/lkml/2010/11/7/212
> 
> But without that, we could also ship a file
> /etc/modprobe.d/blacklist-rarenet.conf that listed all the aliases, which
> is what Debian started doing:

That's not what we've done.

> alias net-pf-19 off
> alias net-pf-21 off
> ...

What we decided to do in Debian for the 'squeeze' release was to remove
these aliases from the modules.  An administrator can then re-add the
aliases in a local modprobe config file or add the modules to
/etc/modules.  (Or a userland support package may load the module, e.g.
decnet is loaded by dnet-common.)

I've now done this for af_802154, decnet, econet, rds and x25.

For future releases I intend to disable econet and possibly x25.  I also
proposed upstream to move decnet, econet and x25 into staging since they
have no regular maintainer, but this was NAK'd.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20101202/2d11afec/attachment.sig>

More information about the kernel-team mailing list